
The Ten Immutable Laws of Microsoft SharePoint Security



Presentation Transcript


  1. OSP201 The Ten Immutable Laws of Microsoft SharePoint Security Rick Taylor Senior Technical Architect PERFICIENT

  2. Who am I??? Who Am I? The Pleasurable The Powerful The Guardian of Lost Souls The Indestructible Rick Taylor Slick Rick – if you’re nasty

  3. Agenda • The OSI Model • Attack Surfaces • Best Practices at securing each layer

  4. What’s the point? • Security is more than just AuthN/AuthZ • Security is like dressing for the cold (do it in layers; aka: DiD (Defense in Depth) ) • In Security, the WHY is more important than the HOW

  5. A Word about Security • Security and complexity are often inversely proportional. • Security and usability are often inversely proportional. • Security is an investment, not an expense. • "Good enough" security now, is better than "perfect" security ...never • There is no such thing as "complete security" in a usable system. • A false sense of security is worse than a true sense of insecurity. • Your absolute security is only as strong as your weakest link. • Concentrate on known, probable threats. • Security is directly related to the education and ethics of your users. • Security is not a static end state, it is an interactive process. • There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished. • You only get to pick two: fast, secure, cheap. • In the absence of other factors, always use the most secure options available. • Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done.

  6. What is the OSI Model?

  7. Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

  8. What is Layer 1? • Defines electrical and physical specifications • Defines the relationship between a device and its medium (copper, optical, radio, etc.)

  9. Layer 1 Attack Surfaces • The medium • Cable • Air • The host • Via Keyboard • Via conduit (RDP host)

  10. Securing Layer 1 - continued • Locks • Cages

  11. LAW #2 - If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

  12. What is Layer 2? How data is transferred from node to node across a network. • Sublayers • Media Access Control (MAC) • Logical Link Control (LLC) • Application Protocol Convergence (APC) • Protocols • ARP • PPP

  13. Layer 2 Attack Surfaces • Wireless Access Points • Wardriving • Hubs • Broadcasting (rare) • Switches (ARP) • Man-in-the-Middle Attacks

  14. Securing Layer 2 • Wireless Networks • Sniffers • ARP flooding

  15. Securing Layer 2 - continued • Strong passwords on wireless routers • Strong encryption on wireless networks • Use ARP Defense software/hardware • Use DHCP Snooping • Track the physical location of hosts. • Ensure that hosts only use the IP addresses assigned to them. • Ensure that only authorized DHCP servers are accessible.

  16. Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone

  17. What is Layer 3? • Performs network routing functions • 3 sublayers: • Subnetwork Access • Subnetwork Dependent Convergence • Subnetwork Independent Convergence • Protocols • IP • Services • ICMP

  18. Layer 3 Attack Surfaces • Unused Open Ports • Commonly Open Ports • Packet inspection

  19. Enumerating Shares

  20. Enabling IPSec via GPO

  21. Benefits of IPsec IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network • IPsec has two goals: to protect IP packets and to defend against network attacks • Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other • IPsec secures network traffic by using encryption and data signing • An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

  22. Securing Layer 3 • Prevent ICMP abuse • DDoS • Add “no ip directed-broadcast” to the router (Smurf bounce) • Drop (disable) ICMP - *maybe* to prevent malware from “Phoning Home” • Use IPSec • Use Network Policy Processing

  23. Network Policy Processing (flowchart, rendered here as its decision steps) • START: Are there policies to process? No → Reject connection attempt; Yes → continue • Does the connection attempt match the policy conditions? No → Go to next policy (and ask again whether there are policies to process); Yes → continue • Is the remote access permission for the user account set to Deny Access? Yes → Reject connection attempt; No → continue • Is the remote access permission for the user account set to Allow Access? Yes → skip to the profile check; No → continue • Is the remote access permission on the policy set to Deny remote access permission? Yes → Reject connection attempt; No → continue • Does the connection attempt match the user object and profile settings? Yes → Accept connection attempt; No → Reject connection attempt
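The policy-processing flow on slide 23, written out as a PowerShell function (an added example, not from the deck; the function name, the policy/attempt hashtables and the 'Control' value standing for "control access through policy" are all constructed here):

```powershell
function Resolve-NetworkPolicy {
    param(
        [hashtable[]]$Policies,   # each: Name, Matches (scriptblock), AccessPermission ('Grant'|'Deny'), ProfileMatches (scriptblock)
        [hashtable]$Attempt,      # attributes of the connection attempt
        [ValidateSet('Allow', 'Deny', 'Control')][string]$UserDialIn   # user account's remote access permission
    )
    foreach ($policy in $Policies) {
        # Does the connection attempt match the policy conditions? No -> go to next policy
        if (-not (& $policy.Matches $Attempt)) { continue }
        # User account set to Deny Access -> reject regardless of the policy
        if ($UserDialIn -eq 'Deny') { return "Reject: user account denied ($($policy.Name))" }
        # User account set to Allow Access skips the policy's own permission;
        # 'Control' (control through policy) lets a Deny policy reject here
        if ($UserDialIn -eq 'Control' -and $policy.AccessPermission -eq 'Deny') {
            return "Reject: policy denies access ($($policy.Name))"
        }
        # Does the attempt match the user object and profile settings?
        if (& $policy.ProfileMatches $Attempt) { return "Accept ($($policy.Name))" }
        return "Reject: profile constraints not met ($($policy.Name))"
    }
    # No policies left to process -> reject
    return 'Reject: no matching policy'
}

# Constructed policies: members of VPN-Users authenticating with MS-CHAPv2 are granted; a catch-all denies the rest.
$policies = @(
    @{ Name = 'Allow VPN'; AccessPermission = 'Grant'
       Matches = { param($a) $a.Groups -contains 'VPN-Users' }
       ProfileMatches = { param($a) $a.Auth -eq 'MS-CHAPv2' } },
    @{ Name = 'Deny all'; AccessPermission = 'Deny'
       Matches = { param($a) $true }; ProfileMatches = { param($a) $true } }
)
$vpnUser = @{ Groups = @('VPN-Users'); Auth = 'MS-CHAPv2' }
$staff   = @{ Groups = @('Staff');     Auth = 'MS-CHAPv2' }
Resolve-NetworkPolicy -Policies $policies -Attempt $vpnUser -UserDialIn Control
Resolve-NetworkPolicy -Policies $policies -Attempt @{ Groups = @('VPN-Users'); Auth = 'PAP' } -UserDialIn Control
Resolve-NetworkPolicy -Policies $policies -Attempt $staff -UserDialIn Control
# The flow's subtlety: an account-level Allow bypasses the catch-all policy's Deny permission,
# so per-account dial-in settings are worth auditing alongside the policies themselves
Resolve-NetworkPolicy -Policies $policies -Attempt $staff -UserDialIn Allow
```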

  24. Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore

  25. What is Layer 4? • Responsible for reliable communication between endpoints • Protocols • Connection-Oriented • TCP • Connectionless • UDP

  26. Layer 4 Attack Surfaces • The operating system (OS Fingerprinting)

  27. Securing Layer 4 • Use routers between network segments • Use private IP addresses on internal network • Use SSL • PEN test your network • Enable “Fingerprint Scrubbing” on routers

  28. Securing Layer 4 - continued • Alter the OS kernel • Change the default IP time-to-live • Change the initial TCP window size • Modify network-related registry entries

  29. Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more

  30. What is Layer 5? • Responsible for connections between hosts • Establishment, management, termination • Checkpointing • Protocols • Remote Procedure Calls (RPC)

  31. Layer 5 Attack Surfaces • Session hijacking • DNS Poisoning • DDoS

  32. Quick Test • Step 1 Browse to http://bad.ketil.froyn.name/ • Step 2 Browse to http://www.example.com • If you see a link to RFC 2606 you are safe. • If you see a page saying POISONED…update your resume…jk

  33. Securing Layer 5 • Choose your authentication protocols wisely • Less secure protocols may be tunneled through more secure protocols • Configure DNS correctly • Specify the IP addresses of authorized DNS servers

  34. What is Layer 6? • Presentation = Translation • Responsible for representing data in different formats • Responsible for serialization of objects to and from XML

  35. Layer 6 Attack Surfaces • NetBIOS • SMB • IPC$

  36. Securing Layer 6 • Lock down Null Session capability • For Clients: • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous • 0 – Default setting. • 1 – Null sessions cannot be used to enumerate shares or user names • For Servers: • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous • 0 – Default setting. Null sessions can be used to enumerate shares • 1 – Null sessions cannot be used to enumerate shares • HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM • 0 – Null sessions can enumerate user names • 1 – Default setting. Null sessions cannot enumerate user names
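An audit script for the two Lsa values on slide 36 (an added example, not from the deck): it reports whether each value matches the hardened setting and, only with -Remediate, sets it. It assumes a Windows host and a session with rights to read (and, with -Remediate, write) HKLM; the function name and the script switch are constructed here.

```powershell
param([switch]$Remediate)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened values from slide 36: RestrictAnonymous=1 stops null sessions enumerating
# shares/user names; RestrictAnonymousSAM=1 (the default) stops user-name enumeration.
$Desired = @{
    RestrictAnonymous    = 1
    RestrictAnonymousSAM = 1
}

function Get-NullSessionSetting {
    param([string]$Name)
    # Returns $null when the value is absent, meaning the OS default applies
    $item = Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($name in $Desired.Keys) {
    $current = Get-NullSessionSetting -Name $name
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    if ($current -eq $Desired[$name]) {
        Write-Output ("{0,-22} = {1,-9} OK" -f $name, $shown)
    } else {
        Write-Output ("{0,-22} = {1,-9} NOT hardened (want {2})" -f $name, $shown, $Desired[$name])
        if ($Remediate) {
            # Writing a REG_DWORD; a missing value is created, an existing one overwritten
            Set-ItemProperty -Path $LsaPath -Name $name -Value $Desired[$name] -Type DWord
            Write-Output ("{0,-22} set to {1}" -f $name, $Desired[$name])
        }
    }
}
```

A RestrictAnonymousSAM reading of "<not set>" is expected on a default build, since 1 is the default; RestrictAnonymous reading "<not set>" or 0 is the finding to act on.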

  37. Law #6: Absolute anonymity isn't practical, in real life or on the Web

  38. What is Layer 7? • Top layer of OSI model • Interfaces directly with applications and their processes. • Most of us focus primarily (if not exclusively) at this layer

  39. Layer 7 Attack Surfaces • DNS • FTP • SMTP • Telnet • SQL • Etc, etc, etc

  40. Securing Layer 7 • Use GPO policies to block software installation • Use GPO policies to prevent misuse of accounts • Use NAP to enforce access policies • Use IPSec to secure host to host and host to server communications • Follow Best Practices for securing service accounts

  41. Law #7: Weak passwords trump strong security

  42. Law #8: A computer is only as secure as the administrator is trustworthy • Service Accounts • Farm • Setup • Application Pool • SQL

  43. SharePoint Service Accounts • SQL Server Service Account • SharePoint Setup User Account • SharePoint Farm Service Account

  44. SharePoint Service Accounts • Fewest is best • Least Privilege is best • Some rights will change (and not all are “Service” accounts)

  45. Law #9: Your infrastructure is as strong as your weakest link

  46. Law #10: Technology is not a panacea

  47. 10 Immutable Laws of Security • Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore • Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore • Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone • Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore • Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff any more • Law #6: Absolute anonymity isn't practical, in real life or on the Web • Law #7: Weak passwords trump strong security • Law #8: A computer is only as secure as the administrator is trustworthy • Law #9: Your infrastructure is only as strong as your weakest link • Law #10: Technology is not a panacea

  48. Thank you for attending! Please be sure to fill out your session evaluation!

  49. Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn
